Re: Samba and SELinux


On Tue, 2006-04-11 at 00:04 -0400, Tim Largy wrote:
> I have two Samba shares on my FC5 box. After upgrading FC3 -> FC5, my
> Windows machine couldn't access either of my Samba shares. The first
> share is a subdirectory of my home directory, e.g. /home/me/share. The
> second share is /somewhere/else. I got my first share working again by
> doing the following:
> # whoami
> root
> # chcon -Rt samba_share_t /home/me/share
> # togglesebool samba_enable_home_dirs
> # service smb restart
> I understand the above isn't a permanent solution because at the next
> reboot or relabeling, I would have to enter those commands again, but
> I'm not concerned about that right now.

Let's address it anyway. There is no need to change the context type of
your home directory (or subdirectory of it) to samba_share_t. According
to "man samba_selinux", setting the samba_enable_home_dirs boolean will
enable samba sharing of home directories, and there's no need for a
context change. So you can change the context back using:

# chcon -Rt user_home_t /home/me/share

In order to make this setting survive a reboot, you can do:

# setsebool -P samba_enable_home_dirs 1

There will be no need to worry about a relabel because you will not have
changed any contexts from the default.

> What I want to do is get my
> second share working; I tried doing this:
> # chcon -Rt samba_share_t /somewhere/else
> # service smb restart
> but that wasn't sufficient. Potentially relevant information about
> this share is that it is set up in /etc/samba/smb.conf like this:
> [public]
>    path = /somewhere/else
>    public = yes
>    only guest = yes
>    writable = yes
>    printable = no
> Any advice on how to get it working again?

I'd like to know where /somewhere/else actually is before answering
that. Changing the context of something that *should* have some other
specific context might break things in an unexpected way.

If you've set up some area specifically for sharing data, like for
instance /srv/public (using directories under /srv is a good place for
this sort of thing), you can do:

# chcon -Rt public_content_rw_t /srv/public

The "public content" type is readable by a variety of different servers
such as samba, httpd, ftpd, rsync etc. You can select which one(s) of
them is/are allowed to write to the area using a separate boolean for
each. So for samba, you'd use:

# setsebool -P allow_smb_anon_write 1
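
Added example, not part of the original message: a shell function that reads an smb.conf on stdin and prints, without running them, the commands the reply above would suggest for each share. Treating only paths under /srv as safe to relabel is an assumption drawn from the reply's /srv/public suggestion; any other path outside /home is flagged for review instead. The function names and the sample config are hypothetical.

```shell
# Constructed sample smb.conf (paths follow the thread; not a real config).
sample_smb_conf() {
  cat <<'EOF'
[share]
   path = /home/me/share
   writable = yes
[public]
   path = /somewhere/else
   writable = yes
[srvpublic]
   path = /srv/public
   read only = no
EOF
}
# Read smb.conf on stdin; print (never run) the suggested SELinux commands.
plan_selinux_for_shares() {
  awk '
    function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t\r]+$/, "", s); return s }
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function flush() {
      if (share == "" || share == "global" || share == "printers") return
      if (share == "homes" || path ~ /^\/home(\/|$)/) {
        home = 1                        # boolean only; labels stay at default
      } else if (path ~ /^\/srv\/./) {  # assumption: /srv is a dedicated share area
        print "chcon -Rt public_content_rw_t " path
        if (writable) anon_write = 1
      } else if (path != "") {
        print "# REVIEW [" share "] " path ": identify this path before relabeling"
      }
    }
    /^[ \t]*([#;]|$)/ { next }          # comments and blank lines
    /^[ \t]*\[.*\]/ {                   # new [section]: settle the previous one
      flush(); share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
      share = tolower(trim(share)); path = ""; writable = 0; next
    }
    (eq = index($0, "=")) > 0 {
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # names ignore case and spaces
      val = trim(substr($0, eq + 1))
      if (key == "path") path = val
      else if (key == "writable" || key == "writeable" || key == "writeok") writable = yes(val)
      else if (key == "readonly") writable = !yes(val)
    }
    END {
      flush()
      if (home) print "setsebool -P samba_enable_home_dirs 1"
      if (anon_write) print "setsebool -P allow_smb_anon_write 1"
    }
  '
}
sample_smb_conf | plan_selinux_for_shares
```

Each setsebool line is printed once at the end, however many shares need it.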


